MDVSA-2010:246

Descrição do problema

Multiple vulnerabilities were discovered and corrected in krb5:

An unauthenticated remote attacker could alter a SAM-2 challenge,
affecting the prompt text seen by the user or the kind of response
sent to the KDC. Under some circumstances, this can negate the
incremental security benefit of using a single-use authentication
mechanism token. An unauthenticated remote attacker has a 1/256
chance of forging KRB-SAFE messages in an application protocol if the
targeted pre-existing session uses an RC4 session key. Few application
protocols use KRB-SAFE messages (CVE-2010-1323).

An unauthenticated remote attacker can forge GSS tokens that
are intended to be integrity-protected but unencrypted, if the
targeted pre-existing application session uses a DES session key. An
authenticated remote attacker can forge PACs if using a KDC that does
not filter client-provided PAC data. This can result in privilege
escalation against a service that relies on PAC contents to make
authorization decisions. An unauthenticated remote attacker has a 1/256
chance of swapping a client-issued KrbFastReq into a different KDC-REQ,
if the armor key is RC4. The consequences are believed to be minor
(CVE-2010-1324).

An authenticated remote attacker that controls a legitimate service
principal has a 1/256 chance of forging the AD-SIGNEDPATH signature
if the TGT key is RC4, allowing it to use self-generated evidence
tickets for S4U2Proxy, instead of tickets obtained from the user or
with S4U2Self. Configurations using RC4 for the TGT key are believed
to be rare. An authenticated remote attacker has a 1/256 chance of
forging AD-KDC-ISSUED signatures on authdata elements in tickets
having an RC4 service key, resulting in privilege escalation against
a service that relies on these signatures. There are no known uses
of the KDC-ISSUED authdata container at this time (CVE-2010-4020.

An authenticated remote attacker that controls a legitimate service
principal could obtain a valid service ticket to itself containing
valid KDC-generated authorization data for a client whose TGS-REQ
it has intercepted. The attacker could then use this ticket for
S4U2Proxy to impersonate the targeted client even if the client never
authenticated to the subverted service. The vulnerable configuration
is believed to be rare (CVE-2010-4021).